Milwaukee-based Metropolitan Urology Group began notifying patients that a November ransomware attack may have exposed their personal data. There were 17,634 patients affected, according to the U.S. Department of Health and Human Services’ Office for Civil Rights.

Two of the organization’s servers were infected by the virus, which may have exposed data of patients between 2003 and 2010. Officials said the data contained names, patient account numbers, provider identification, medical procedure codes and data of the provided services. About five of these patients had their Social Security numbers exposed.

All affected patients will receive one year of free credit monitoring. Metropolitan Urology also set-up a call center to field questions about the breach.

Metropolitan Urology has been working with an IT firm to remove the ransomware and is taking steps to prevent future attacks. According to the official statement, the organization blocked all traffic from the affected servers, improved its firewall, email security and protection on all employee devices and is also bolstering its policies and procedures.

The organization is currently conducting a risk analysis on its IT system to determine any other vulnerabilities. Officials said both Metropolitan Urology and its IT vendor, Digicorp, will undergo IT security training.

Metropolitan Urology said the attack happened on November 28, 2016, it became aware of the ransomware on January 10, and it started sending notifications on March 10.